Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Tim <tim-security () sentinelchicken org>
Date: Mon, 13 Mar 2006 18:02:21 -0500

> Although something else may have been intended by using the phrase
> "password-authenticated key agreement", let's not forget that's all PKI is -
> key agreement based on verifying a password.
> At the server end, the site admin's password is verified, e.g. for SSL servers.
> At the client, if you're lucky, the user chose a hard-to-crack password.

Hmm... Your terminology is sounding a bit off.  Passwords are symmetric
keys.  PKI stands for Public Key Infrastructure.  I think what you mean
here is that the server's public key (contained in the certificate) is
verified based on a provided signature/challenge generated by the
server's private key, and by signatures of "trusted" certificate
authorities, along with a whole host of other things.  Sure, the site
admins may protect their private key with a password, but even if they
don't, it has nothing to do with the PKI.

As for the client side, they usually use passwords, but they may also
use client-side certificates in SSL with no password at all.

> That, and the access controls on each endpoint, is all that authenticates any
> PKI-based schema.

True, if you are worried about local attackers at the endpoint.  These
access controls are usually permissions in conjunction with a symmetric
key (password).

tim
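The distinction Tim draws above (a password is a symmetric key shared by both sides; PKI authentication is a signature over a challenge that the verifier checks with a public key, itself vouched for by a CA signature) can be seen side by side in code. The following is an added example written for this archive page, not code from Tim or from the m0n0wall project. It uses Go's standard-library ed25519 for the asymmetric side and HMAC-SHA256 for the password side; the "certificate" is a constructed toy (a CA signature over the raw server public key), not X.509, and the password string is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// toyCert is a constructed stand-in for a certificate: the CA's signature
// over the server's public key. Real PKI uses X.509, but the trust step is
// the same: the client checks the CA's signature, not a shared secret.
type toyCert struct {
	ServerPub ed25519.PublicKey
	CASig     []byte
}

// issueCert: the CA binds the server's public key by signing it.
func issueCert(caPriv ed25519.PrivateKey, serverPub ed25519.PublicKey) toyCert {
	return toyCert{ServerPub: serverPub, CASig: ed25519.Sign(caPriv, serverPub)}
}

// verifyServerByPKI is the client side of public-key authentication.
// The client holds no secret at all: it trusts the CA's public key, checks
// that the CA vouched for the server key, then checks the server's signature
// over a challenge the client chose. A password on the server's private key
// file never enters this protocol.
func verifyServerByPKI(trustedCA ed25519.PublicKey, cert toyCert, challenge, sig []byte) bool {
	if !ed25519.Verify(trustedCA, cert.ServerPub, cert.CASig) {
		return false // server key not certified by a CA we trust
	}
	return ed25519.Verify(cert.ServerPub, challenge, sig)
}

// passwordTag is the symmetric counterpart: an HMAC over the challenge keyed
// by the password. Whoever verifies this must hold the same password.
func passwordTag(password, challenge []byte) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(challenge)
	return m.Sum(nil)
}

// verifyByPassword compares tags in constant time; note the verifier needs
// the secret itself, which is what makes a password a symmetric key.
func verifyByPassword(storedPassword, challenge, tag []byte) bool {
	return hmac.Equal(passwordTag(storedPassword, challenge), tag)
}

// newChallenge returns a fresh random nonce so a captured response cannot be
// replayed against a later challenge.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// demoPKI reports whether a properly certified server verifies and whether a
// key certified only by a CA the client does not trust is rejected.
func demoPKI() (legit, untrustedRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := issueCert(caPriv, serverPub)
	challenge := newChallenge()
	legit = verifyServerByPKI(caPub, cert, challenge, ed25519.Sign(serverPriv, challenge))

	// A second CA the client has never been configured to trust.
	_, otherCAPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherCert := issueCert(otherCAPriv, otherPub)
	untrustedRejected = !verifyServerByPKI(caPub, otherCert, challenge, ed25519.Sign(otherPriv, challenge))
	return
}

// demoPassword reports whether the correct password verifies and a wrong one
// is rejected, using the same challenge-response shape as demoPKI.
func demoPassword() (correct, wrongRejected bool) {
	stored := []byte("correct horse battery staple") // constructed sample
	challenge := newChallenge()
	tag := passwordTag(stored, challenge)
	correct = verifyByPassword(stored, challenge, tag)
	wrongRejected = !verifyByPassword([]byte("not the password"), challenge, tag)
	return
}

func main() {
	legit, rejected := demoPKI()
	fmt.Println("PKI: certified server verifies:", legit, "| untrusted CA rejected:", rejected)
	ok, wrong := demoPassword()
	fmt.Println("Password: correct verifies:", ok, "| wrong rejected:", wrong)
}
```

The point of putting both next to each other: in `verifyServerByPKI` the verifier's inputs are public keys only, so compromising the client reveals nothing that lets someone impersonate the server, whereas `verifyByPassword` requires the verifier to store the password itself (or a derivative of it), which is exactly the endpoint-access-control concern raised in the thread.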

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/